GhostCat Vulnerability.


Why is this vulnerability called Ghostcat?

It was hidden like a ghost in Apache Tomcat for more than a decade. Ghostcat affects all versions of Tomcat in the default configuration; it was confirmed to affect every release of Tomcat 9, 8, 7 and 6.

CVE-2020-1938 || High: AJP Request Injection and potential Remote Code Execution.

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Prior to Tomcat 9.0.31, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.

Prior to this vulnerability report, the known risks of an attacker being able to access the AJP port directly were:

  • bypassing security checks based on client IP address
  • bypassing user authentication if Tomcat was configured to trust authentication data provided by the reverse proxy

This vulnerability report identified a mechanism that allowed the following:

  • returning arbitrary files from anywhere in the web application including under the WEB-INF and META-INF directories or any other location reachable via ServletContext.getResourceAsStream()
  • processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.

It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defense-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31 or later. Users should note that a number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31 or later will need to make small changes to their configurations as a result.

This was fixed with commits 0e8a50f09ac9053264fa5b997a1406a3 and 49ad3f95.

This issue was reported to the Apache Tomcat Security Team on 3 January 2020. The issue was made public on 24 February 2020.

Affects: 9.0.0.M1 to 9.0.30

What is Tomcat AJP Connector?

A Tomcat Connector is the channel through which Tomcat talks to the outside world. It lets Catalina receive requests from clients, pass them to the corresponding web application for processing, and return the response.

By default, Tomcat is configured with two Connectors, which are HTTP Connector and AJP Connector:

HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080

AJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009

The HTTP Connector provides the ordinary HTTP web service that most deployments use. The AJP Connector speaks the AJP protocol (Apache JServ Protocol), which can be understood as a performance-optimized, binary form of HTTP: it lowers the cost of handling each request, so it is used mainly in clustering and reverse-proxy setups.

What can Ghostcat do?

By exploiting the Ghostcat vulnerability, an attacker can read the contents of configuration files and source code files of all web apps deployed on Tomcat.

In addition, if the web application allows users to upload files, an attacker can first upload a file containing malicious JSP code to the server (the uploaded file itself can be of any type, such as an image or a plain text file), and then include the uploaded file by exploiting the Ghostcat vulnerability, which can finally result in remote code execution.

What versions of the Tomcat are affected?

Apache Tomcat 9.x < 9.0.31

Apache Tomcat 8.x < 8.5.51

Apache Tomcat 7.x < 7.0.100

Apache Tomcat 6.x

Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of being exploited by the Ghostcat vulnerability.

It should be noted that the Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009.

How can I fix it?

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.

To fix this vulnerability correctly, you first need to determine if the Tomcat AJP Connector service is used in your server environment:

- If no cluster or reverse proxy is used, you can reasonably assume that AJP is not used.

- Otherwise, you need to find out whether the cluster or reverse proxy actually communicates with the Tomcat AJP Connector service.

1. If the AJP Connector service is not used:

If the AJP Connector service is not used, you can simply upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100 to fix the vulnerability.

If you cannot upgrade, you can either disable the AJP Connector outright or change its listening address to localhost.

Steps:

(1) Edit <CATALINA_BASE>/conf/server.xml and find the following line (<CATALINA_BASE> is the Tomcat working directory):

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

(2) Comment it out (or simply delete it):

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->

(3) Save the edit, and then restart Tomcat.

In addition to the above measures, you can also use a firewall to prevent untrusted sources from reaching the Tomcat AJP Connector port.

2. If the AJP Connector service is in use:

If the AJP Connector service is in use, we recommend that you upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100, and then configure the “secret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />

If you cannot upgrade, you can instead configure the “requiredSecret” attribute on the AJP Connector to set AJP protocol authentication credentials. For example:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />

(Note that you must replace “YOUR_TOMCAT_AJP_SECRET” above with a strong value that cannot be easily guessed or brute-forced.)
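The two questions the article asks an operator to answer, whether the installed Tomcat version falls in the affected ranges and whether the AJP Connector in server.xml is still exposed without a secret, can be checked with a short script. The following is an added example written for this page, not code from the article or from the Tomcat project. It assumes only the attribute names the article itself uses (port, protocol, address, secret, requiredSecret) and the fixed-version list above; the server.xml it parses is a constructed sample.

```python
"""Added example (not from the original article): a defender-side audit
for CVE-2020-1938 (Ghostcat). It answers two questions the article raises:
is this Tomcat version affected, and is an AJP Connector in server.xml
reachable from the network without a secret? The sample server.xml is
constructed for this example."""
import xml.etree.ElementTree as ET

# First fixed release per major line, as listed in the article. 6.x was
# never fixed, so every 6.x release counts as affected.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version):
    """Reduce a Tomcat version string to a 3-tuple of ints.
    Non-numeric parts such as the 'M1' in '9.0.0.M1' are dropped, so a
    milestone compares as its base number; that is sufficient here because
    9.0.0.M1 is the very start of the affected 9.x range."""
    nums = [int(p) for p in version.strip().split(".") if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected_version(version):
    """True if the version falls inside an affected range from the article."""
    nums = parse_version(version)
    major = nums[0]
    if major == 6:
        return True
    if major not in FIXED:
        raise ValueError(f"Tomcat {major}.x is not covered by this advisory table")
    return nums < FIXED[major]


def audit_ajp_connectors(server_xml):
    """Classify every AJP <Connector> in server.xml.

    Returns a list of (port, status) pairs, status being one of:
      LOOPBACK           bound to a loopback address, not reachable over the network
      EXPOSED_NO_SECRET  network-reachable and no secret/requiredSecret set
      PLACEHOLDER_SECRET the article's YOUR_... placeholder was left in place
      SECRET_SET         network-reachable, but AJP authentication is required

    ElementTree discards XML comments, so a connector that was commented out
    (the article's step 2) does not appear at all, which is the desired
    'disabled' outcome."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        port = conn.get("port", "?")
        # A missing address attribute meant 'listen on all interfaces' before 9.0.31.
        address = conn.get("address")
        secret = conn.get("secret") or conn.get("requiredSecret")
        if address in LOOPBACK:
            status = "LOOPBACK"
        elif secret is None:
            status = "EXPOSED_NO_SECRET"
        elif secret.startswith("YOUR_"):
            status = "PLACEHOLDER_SECRET"
        else:
            status = "SECRET_SET"
        results.append((port, status))
    return results


# Constructed sample server.xml: the shipped default AJP connector, a
# commented-out one, a loopback-bound one, one with the placeholder secret
# still in place, and one configured as the article recommends.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!--<Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />-->
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8012" protocol="AJP/1.3" address="10.0.0.5"
               secret="YOUR_TOMCAT_AJP_SECRET" />
    <Connector port="8013" protocol="AJP/1.3" address="10.0.0.5"
               requiredSecret="k3Q9v1xLp7ZrT2mW" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("9.0.30", "9.0.31", "8.5.50", "7.0.100", "6.0.53"):
        print(f"Tomcat {v}: {'AFFECTED' if is_affected_version(v) else 'fixed'}")
    for port, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {status}")
```

Run it against a real <CATALINA_BASE>/conf/server.xml by reading the file into audit_ajp_connectors(); any EXPOSED_NO_SECRET or PLACEHOLDER_SECRET result is a connector to disable, bind to localhost, or protect with a secret as described in the steps above. Note that a SECRET_SET connector bound to a routable address is still reachable over the network, so the firewall measure from the article remains worthwhile.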

Source: http://tomcat.apache.org/security-9.html , https://www.chaitin.cn/en/ghostcat
